Computer Networks 163 (2019) 106870

Contents lists available at ScienceDirect

Computer Networks
journal homepage: www.elsevier.com/locate/comnet

Game-based adaptive anomaly detection in wireless body area

networks
Amel Arfaoui a,b,∗, Ali Kribeche b, Sidi Mohammed Senouci b, Mohamed Hamdi a
a
Digital Security Unit, SupCom University of Carthage, Tunisia
b
DRIVE EA 1859, University Bourgogne Franche Comté, France

a r t i c l e i n f o a b s t r a c t

Article history: Wireless Body Area Network (WBAN) is a quite suitable communication tool for medical IoT devices
Received 1 January 2019 that are deployed to collect physiological parameters and forecast real-time events in order to facilitate
Revised 29 July 2019
the diagnostic decision-making for the medical staff. However, sensor readings may be inaccurate due
Accepted 29 July 2019
to resource-constrained devices, sensor misplacement, hardware faults, and other environmental factors.
Available online 31 July 2019
Therefore, anomaly detection is envisioned as a promising approach to deal with unreliable and mali-
Keywords: cious data injection to improve remote patient monitoring systems and reduce false medical diagnosis.
IoT In this context, several data analysis and machine learning tools have been proposed to detect abnormal
Health deviations in WBAN. Nevertheless, no one considers the dynamic context changes of WBAN to provide
WBAN adaptive and dynamic outlier detection. In addition, most of them ignore the co-existence of strong spa-
Game theory tial and temporal correlations between monitored physiological attributes. To this end, we propose a
Adaptive anomaly detection
two-level lightweight and adaptive anomaly detection approach to discard false alarms caused by faulty
measurements and raise alarms only when a patient seems to be in emergency situations. In the first
level, a game-theoretic technique is introduced wherein body-worn sensor nodes exploit the spatiotem-
poral correlation among readings to locally and adaptively detect anomalous events according to the dy-
namic context changes of WBAN. In the second level, we apply the Mahalanobis distance in the Local
Processing Unit (LPU) which has a global view for multivariate analysis. Our main objective is to ensure a
tradeoff between detection accuracy, false positive rates, and network performance while considering the
WBAN environment constraints. The proposed approach is evaluated through numerical simulations on a
real physiological data set. Simulation results prove the effectiveness of the proposed approach in terms
of achieving high detection accuracy with low false alarm rate and energy consumption.
© 2019 Elsevier B.V. All rights reserved.

1. Introduction In the diverse kinds of networks, Wireless Body Area Network

(WBAN) has been perceived as one of the most promising wireless
Recent technological advances in wireless communication, sensor technologies for improving healthcare services thanks to its
ubiquitous sensing, and pervasive computing have performed a sig- potential for continuous and real-time monitoring of health condi-
nificant role in emerging Internet of Things (IoT) paradigm. It has tions. In WBAN, autonomous sensors are deployed to transmit col-
tremendous potential to create value and provide appropriate so- lected data to the Local Processing Unit (LPU) that performs both
lutions for a wide range of applications such as smart cities, visual online and offline processing of body sensors data [5]. Several clin-
sensing, image communication [1,2] and healthcare which repre- ical conditions can be prevented or alleviated using WBANs, where
sents one of the most attractive application areas for the IoT [3]. In the real-time data can be used to remotely monitor the evolving
fact, IoT-based healthcare revolution has redefined modern health- state of the patient’s state, for early and fast detection of clinical
care services such as remote health monitoring, medical data ac- emergency [6]. For instance, the early detection of the myocardial
cess, and early detection of medical anomalies symptoms. ischemia which precedes heart attacks prevents serious complica-
tions and damage of the heart. However, the harsh environmen-
tal conditions and stringent resource constraints of sensor nodes
∗
Corresponding author at: Digital Security Unit, SupCom University of Carthage, [4] may lead to unreliable and inaccurate sensors’ measurements
Tunisia. and consequently wrong diagnoses and inappropriate treatments
E-mail addresses: [email protected] (A. Arfaoui), Ali.Kribeche01@u- [8,9]. In such a stochastic environment, unreliable data may re-
bourgogne.fr (A. Kribeche), [email protected] (S.M. Senouci),
[email protected] (M. Hamdi).
sult from several reasons like hardware failure, noise, compromised

https://doi.org/10.1016/j.comnet.2019.106870
1389-1286/© 2019 Elsevier B.V. All rights reserved.
2 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870

sensors, malfunction, health state degradation, maliciously injected related sensory readings to the gateway device given that faulty
data, redundant data, etc. The above issues introduce high false measurements are uncorrelated. The decision-making is based on
alarms rate that affects the trust level in such monitoring system, the granular view of the context to reliably distinguish between
where reliability is a primordial requirement to ensure accuracy cases where temporal correlation should be applied for energy ef-
in healthcare systems. In [7], the authors show that sensor nodes ficiency and other cases where detection accuracy should be privi-
are the first source of unreliability in WBANs, and such monitoring leged through neighborhood information. The novelties of our pro-
system will not be adopted by healthcare providers and patients if posed model are summarized as follows:
not reliable.
• A theoretical framework that exploits the spatiotemporal corre-
As a result, anomaly detection has become a critical task to pre-
lation between physiological parameters and the contextual in-
serve accuracy and distinguish between faulty measurements and
formation to select the most appropriate outlier detection strat-
emergency conditions in order to reduce false alarms and ensure
egy under a given situation,
reliable diagnostic results [10]. For this purpose, various anomaly
• A mathematical model that represents the dynamic context
detection systems have been proposed to identify and isolate faulty
changes affecting the adaptive cooperative decision between
sensors’ readings [11–14]. For instance, in [12], the authors used a
sensor nodes to detect anomalies,
machine learning algorithm to build a classification model that dif-
• A novel game-theoretic approach to model the dynamic coop-
ferentiates normal and abnormal data. However, such proposal suf-
eration between sensor nodes in order to ensure a trade-off be-
fers from high complexity and requires training data that are often
tween the detection accuracy of the adopted policy and its im-
skewed or even unavailable in practice. Recently, several research
pact on the network performance.
works have exploited the spatiotemporal correlation among sensor
data attributes for anomaly detection to improve the detection ef- The rest of the paper proceeds as follows. Section II highlights
ficiency through data dimension reduction [14–16]. However, they some previous work related to anomaly detection systems. In Sec-
do not incorporate the contextual information with spatial or tem- tion III, we present the proposed distributed approach for anomaly
poral correlations. In fact, they perform static decisions and ignore detection. A context-aware stochastic game for adaptive anomaly
the quality metrics such as reliability, time complexity, scalability, detection is formulated in Section IV. Numerical simulation results
communication and computation costs that affect the performance are provided in Section V. Finally, Section VI concludes the paper.
of the anomaly detection process. Unlike the existing anomaly de-
tection solutions, we address the conflict between the detection 2. Related work
accuracy and the network performance (energy consumption, la-
tency, memory workload) in the dynamic context of WBAN dur- WBAN has drawn a significant attention as a cost-effective so-
ing the detection process. In this paper, we propose an adaptive lution for ubiquitous healthcare monitoring. However, it still faces
anomaly detection approach to detect abnormal patterns and dif- many challenges (such as data reliability, early event detection, en-
ferentiate between real emergency situations and faulty measure- ergy consumption, computation capacity, timely delivery of emer-
ments. Specifically, we exploit the spatiotemporal correlation while gency traffic) that may limit its effectiveness as a pervasive moni-
taking into account the effects of neighborhood size, the aggrega- toring tool. Therefore, online anomaly detection in WBAN is a chal-
tion delay, and the sensor nodes capabilities for the anomaly de- lenging task that reveals errors and significant events. Different
tection decision. approaches for outlier detection have been proposed to provide
The main contribution of this paper is to ensure a trade-off be- accurate information about the network status and the surround-
tween detection accuracy and network performance while consid- ing environment (e.g. residual energy, channel state, compromised
ering the dynamic context changes and system information (the nodes, faulty readings, unexpected event…) leading to an appropri-
available resources in the specific context). The proposed approach ate decision-making [17,18]. Existing anomaly detection approaches
achieves a distributed outlier detection to fine-tune classification in the literature can be roughly classified as statistical methods,
accuracy and communication complexity. Each sensor can decide machine learning (ML), and game theory.
whether or not to cooperate with other nodes to perform local de- The essential principle of statistical approaches [19–21] is to
tection. Hence, a dynamic and adaptive construction of the deci- build a reference model for the data and compute the probabil-
sion to cooperate for the sensor nodes according to the contextual ity distribution that a sensory reading is generated by that nor-
information is performed. Specifically, we formulate this problem mal model. Any deviation below a given threshold is considered
using a game-theoretical approach to model the conflicts between as an anomaly. In [19] authors proposed a prediction-based ap-
anomaly detection accuracy and energy efficiency. Indeed, game proach that considers neighboring data segments to collectively
theory is a decision-making process that provides an effective tool detect anomalies in WSNs. However, the proposed model is well
to model the interactions between several rational selfish entities suited for only spatially correlated data. In [20], authors proposed a
with conflicting interests and determine the desirable equilibrium prediction model to evaluate the difference between actual sensed
from which no entity can achieve better benefit [24]. In this study, data and the predicted value on the basis of historical measure-
we especially focus on the stochastic game as an appropriate tool ments. The difference is compared with a given threshold to ascer-
to model and handle a dynamic and stochastic environment such tain whether sensed data is faulty. In [21], a distributed anomaly
as WBAN where the context conditions are continuously and fre- detection model in WBAN is presented where sensor nodes ex-
quently changing. The main purpose of this work is to maximize ploit the Exponentially Weighted Moving Average (EWMA) tech-
detection accuracy and prolong sensor’s lifetime. nique for forecasting, to figure out the deviation between expected
Anomaly detection is carried out by exploiting the multivariate and sensed data. The LPU applied chi-squared distance and Kernel
spatiotemporal correlation between physiological parameters. The Density Estimator (KDE) techniques to discard uncorrelated data
temporal correlation is defined as the dependencies between the before raising alarm to caregivers. Although statistical models are
current attribute reading and the measurements at the previous characterized by their low computational complexity, they gener-
time instants, while the spatial correlation indicates the correla- ally require supervised learning. Furthermore, all the aforemen-
tion between the different attributes. For the local detection, each tioned approaches have on common that they do not consider the
sensor node chooses to apply temporal correlation and transmit energy aspect which can cause outliers [22].
the temporal deviations to the LPU or exploit the spatiotemporal Machine learning (ML) approaches define a classification model
correlation based on neighborhood information and send only cor- to distinguish normal data from abnormal patterns by separat-
 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870 3

Table 1
Comparison of different anomaly detection techniques in WBAN.

Technique Method Data dimension Detection Mode Context Adaptability Correlation

[19] Statistical Multivariate distributed – + spatial

[20] Multivariate centralized – – Spatial temporal
[21] Multivariate distributed – – Spatial temporal
[11] ML Multivariate distributed – – Spatial temporal
[12] Multivariate centralized – – Spatial temporal
[18] Multivariate centralized – – Spatial temporal

ing them into 2 classes. Various algorithms have been applied to rent literature reveals limited suitable techniques for outlier detec-
deal with the anomaly detection issue in WBAN. For instance, Sup- tion in WBAN. In fact, none of the above works consider the dy-
port Vector Machine (SVM) techniques [11,12,17,18,23], have gained namic context changes and the resource scarcity of biosensors to
broad attention due to their optimum solution and detection ac- provide dynamic and adaptive anomaly detection. In addition, ma-
curacy. They exploit the principle of classification similarity, where chine learning techniques face the challenge of data labeling with
a data set is partitioned into dense regions and an observation is balanced classes to define the classification model. Indeed, training
considered as an outlier if it falls outside them. In [11], the au- data are often skewed or even unavailable in practice. Furthermore,
thors proposed an anomaly detection method in WBAN where they they suffer from high computational complexity which make them
adopt a decision tree algorithm for classification and linear regres- inadequate for resource-constrained devices. These issues make the
sion as a forecasting tool. An alarm is raised when the actual value build of a classification model a challenging task. A common prob-
of more than one attribute deviate from the estimated reading. In lem with the most of existing anomaly detection approaches in
[12], the authors developed another model to recognize abnormal WBAN is the lack of consideration of both spatial and temporal
behavior in WBAN. They exploit linear SVM to identify abnormal correlations among sensors’ readings. For instance, in [28], authors
instances and linear regression for prediction purposes. However, note that only limited studies exploit the spatiotemporal correla-
in their both models, they did not use a sliding window to up- tion for anomaly detection.
date the training data. Furthermore, linear regression is inadequate To address the above problems, we propose a distributed and
prediction tool in WBAN where the physiological parameters have adaptive anomaly detection approach. Specifically, we exploit the
dynamic changes. In [23], the authors presented a wearable sen- effectiveness of stochastic game to model and analyze the inter-
sor platform to differentiate between mental stress states and re- actions among medical IoT devices in a dynamic WBAN environ-
laxation states using logistic regression. Nevertheless, they did not ment in order to ensure a tradeoff between the anomaly detec-
consider that the values can be corrupted due to hardware failure. tion accuracy and the network performance. In addition, we con-
In [18], the authors used a nearest-neighbor approach to perform sider the spatiotemporal correlation between nodes to distinguish
anomaly detection in the healthcare area. The proposed model between faulty measurements and emergency situations. In fact,
aims to discern between faulty measurements and real degrada- adaptive detection is a potential methodology for real-time detec-
tion of patient’s condition. For this purpose, they used Mahalanobis tion in such dynamic context where the changes in data distri-
Distance (MD) for outlier detection phase and Kernel density for bution may affect the detection accuracy. Furthermore, distributed
abnormality ‘s source identification phase. However, according to processing and data correlation exploitation have proven to be ef-
[17], the nearest neighbor approach has a high computational com- fective to cope with the intrinsic limitations of sensor networks
plexity. and enhance the detection efficiency [18,22,29].
to the dynamic, heterogeneous, and resource-constrained envi-
ronment of WBAN, static and conventional security solutions are
inadequate to meet the application requirements. One promising 3. Distributed anomaly detection based on spatiotemporal
solution is the use of game theory to model interactions between analysis
players and assist them during decision making to enhance the
network performance [24]. By evaluating all possible situations, In this section, we present the proposed framework for spa-
players will receive payoff according to their strategies which tiotemporal analysis from local and global point of view. At first,
can assess the efficacy of an adopted strategy and then help the we discuss the local detection where a statistical method is ap-
system to attain the optimal reward. For example, many studies plied to approximate a model of the normal behavior of the sensor
exploit game theory to improve the security of WSNs. In [25], a node. Whenever a new measurement is registered, each sensor
Stackelberg game has been proposed to deal with the problem node chooses to exploit spatiotemporal correlation based on
of external attacks. In the proposed game, the defender plays the neighborhood information or to use only temporal analysis based
role of a leader and the attacker acts as a follower in order to on its own measurements while applying Exponentially Weighted
protect sensor nodes based on energy defense budget against the Moving Average (EWMA). The local detection is based on the dy-
corresponding energy attack budget. In [26], authors proposed an namic context changes (residual energy, time complexity, detection
evolutionary game to analyze the dynamics of the trust decision accuracy communication complexity and channel state). The sub-
in WSNs. They studied the evolution of trust strategy where set of cooperating nodes is dynamically changing given that each
players select the cooperative strategy based on the payoff model node makes autonomous decision to collaborate with its neighbors
expressed by node’s trust degree. In [27], a stochastic game for or not on the basis of its actual state. Furthermore, the dynamic
adaptive security in WBAN has been proposed in order to ensure cooperation ensures the adaptability of the system performance to
a tradeoff between network performance and security level while the features of the specific scenario. Although collaborative detec-
taking into account the contextual information. tion improves detection accuracy, it comes at the cost of energy
As shown in Table 1, we conduct a comparative study of the consumption. Therefore, a tradeoff between energy efficiency and
different aforementioned outlier detection techniques in terms of detection effectiveness can be perceived as a critical task. Then,
data dimension, the detection mode, the context consideration, the the global anomaly detection is performed in the LPU through
adaptability as well as the data correlation. We observe that cur- multivariate analysis while exploiting the Mahalanobis Distance.
4 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870

Fig 2. Cooperative local anomaly detection.

Fig. 1. Collected physiological parameters.

surements of the attribute p (from the starting instant to the cur-

rent ith) by the sensor j.
As illustrated in Fig 1, we consider a WBAN composed of N on-
 
body sensor nodes (S1 , S2 , . . . , SN ) used to collect physiological pa- ( )
X j,i
p
= x j,1 , x j,2 , . . . x j,i (1)
rameters and transmit their sensed data to the LPU for processing.
For a given instant t, we denote X j = (x j,1 , x j,2 , . . . , x j,q ) the set of An anomaly score of a measurement xj, i represents its devia-
collected measurements, where q is the total number of monitored tion from the mean of the recent past measurements. The sensor
attributes by the sensor j. In the most proposed anomaly detection Anomaly Score (AS) is given by:
models, sensory readings are transmitted to the gateway device at  
 p 
regular time interval T for analysis and classification. However, the x j,i − X j,i−1 
communication energy is 103 to 104 times greater than the pro- AS(x j,i ) = (2)
p
cessing energy [21]. In addition, periodic transmission of normal X j,i −1
measurements may lead to faster energy depletion. In this context,
the main focus of this study is to propose an adaptive and dis- If the AS of the current measurement xj, i is a large value, then
tributed outlier detection in the WBAN, in order to save energy it is significantly larger or smaller than the other measurements.
and avoid useless transmission to the LPU. In order to label the current measurement as an outlier, the AS
should be greater than the standard deviation of the previous mea-
surements by a given factor. The threshold condition for a current
3.1. First level detection: local anomaly detection
measurement xj, i that will be labeled is given as follows:

The main idea of the local anomaly detection is to ensure an AS(x j,i ) > τ ∗ σ j,ip −1 (3)
adaptive and dynamic cooperative strategy that is dependent on
Where σ j,i−1 is the standard deviation of the past data points at
the network status. In fact, we aim to guarantee high detection p

accuracy without affecting the network performance or wasting time i – 1 and τ is a threshold value.
energy for unnecessary transmissions toward the LPU. For this 
i−1
purpose, we implement a multivariate analysis to select the most 1  2
appropriate detection policy under a given context. σ j,ip −1 = (x j,k − X j,ip −1 ) (4)
i−1
The communication between nodes results in a network topol- k=1

ogy graph G (V, E) where V denotes the set of all sensor nodes p
With each new measurement, it is necessary to update X j,i and
and E denotes the set of the communication links. The set of co-
operative nodes is presented as a subgraph G’ (V, E’) where E’ de- σ j,ip .
We adopt a sliding window technique to maintain the histori-
termines the set of the active communication between coopera- cal data online. The time window is a dynamic window of prede-
tive nodes. For instance, Lj, k ∈ E indicates the active cooperation fined size L which governs the size of past measurements consid-
between nodes j and k (presented in Fig 2). In the following, we ered. Thus, every time a new input xj, i is received, the window is
present the adopted techniques for temporal and spatiotemporal updated as the last L online measurements. We use the EWMA to
incrementally update X j,i and σ j,i and they are defined as [21]:
p p
analysis.

3.1.1. Temporal correlation

p
X j,i = α ∗X j,i
p
−1
+ (1 − α )∗x j,i (5)
From the individual point of view, each sensor node activates
the Exponentially Weighted Moving Average (EWMA) model for  
 
temporal analysis in which the current attribute measurement de- σ j,ip = α ∗σ j,ip −1 + (1 − α )∗x j,i − X j,ip −1  (6)
pends on readings at the previous time instants. EWMA is char-
acterized by its low computational complexity, memory efficiency, Where α is the decay weighting parameter that controls the
and fast data update [21,30,31]. Each sensor monitors one or many weight distribution between the new measurement xj, i and the
attributes, e.g. pulse oximeter monitors the pulse and SpO2. Let p
( p) previous mean X j,i−1 .
X j,i denotes the time series associated with the collected mea-
 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870 5

Table 2 normal range then SPO2 is identified as faulty. Furthermore, faults

Correlation between Heart Rate and Blood Pressure.
in motion sensors can be detected on the basis of the maximum
Patient condition Blood Pressure (mmHg) Heart Rate (BPM) relative distance between neighboring nodes. Particularly, the max-
Healthy 120/80 75 imum distance between the left hand and the left shoulder is fixed
Weak Pulse 110/80 95 that the hand cannot be stretched beyond its full length from the
Tachycardia 120/105 130 shoulder. Therefore, it is obvious that there is a fixed relative dis-
Bradycardia 120/60 45 tance between the two joints.
To detect whether a candidate anomaly should be considered
as legitimate which corresponds to a clinical emergency, we adopt
3.1.2. Spatiotemporal correlation a sliding window of length H which maintains only measurements
In order to reduce useless transmission of faulty measurements, that have been identified in the first phase as anomalies. Based
sensor nodes may exploit the spatiotemporal correlation and trans- on the data of the sliding window H, we apply the MD approach
mit only correlated measurements. [18,33–35] to determine and evaluate the similarity between the
Real medical abnormalities correspondent to correlated at- different attributes. Unlike Manhattan distance, Euclidean distance,
tributes in time and space, and faulty readings are usually uncorre- and Hamming distance that do not consider correlation among
lated from other measurements. For instance, as shown in Table 2, observed parameters and suffer from a scaling effect, MD distin-
in cardiac sensing both Electrocardiography (ECG) and hemody- guishes multivariate data groups and reveals the variability impact
namic signals, such as blood pressure has jointly correlated infor- of one parameter on other parameters when their measurements
mation about the heart condition. In situations where the ECG sig- ranges are different [35].
( p)
nal is degraded but the blood pressure is normally in its range. We denote Xi = (xi1 , . . . , xip ) the vector containing the cur-
Then, the ECG sensor can be detected as faulty. When a sensor rent candidate anomalies of the p attributes at the time instant i.
node detects an unusual measurement, it needs neighborhood in- Let X be the n × p matrix which contains the values for these p
formation to determine whether the data is related to an emer- attributes over the last n time steps.
gency situation or a faulty measurement. In fact, the candidate ⎡ ⎤
x11 ··· x1 p
anomaly value observed by temporal analysis indicates that an ab-
normal event occurs when it satisfies a certain similarity degree X = ⎣ ... ..
.
.. ⎦
. (8)
with its neighbor nodes. xn1 ··· xnp
We use an online correlation detection that is based on Pear-
son correlation coefficient as a measure of the linear dependence For each new arrival, the MD distance between the different at-
between two variables Xj and Xk . A low correlation would be |ρ j, k | tributes in the sliding window is calculated as follows [33]:
< 0.25, a high correlation means |ρ j, k | > 0.75. For a given sample

T
of size n for both Xj and Xk , the correlation coefficient ρ j, k can be M Di = (Xi( p) − μ ) S−1 (Xi( p) − μ ) (9)
expressed as [32]:
Where μ = (μ1 , μ2 , . . . , μ p )T is the mean vector of candidate
  n
(x j,i − X j ) ∗ (xk,i − Xk ) anomalies; μq is the average of the n candidate values of attribute
ρ j,k = corr X j , Xk = i=1
(7)
σ j ∗ σk q and S is the covariance matrix(p × p) of these p attributes:

1
n
The correlations coefficients between local sensors on the basis
of neighborhood information point out how well they are corre-
μq = xiq (10)
n
i=1
lated and therefore how much obtained information can enhance
the local detection accuracy and reduce false positive rate. 1 
i
We refer to the neighborhood of sensor node j as N(j). Sen- Sqq = (xmq − μq ) ∗ (xmq − μq ) (11)
n−1
sor modalities are referred to the subscript indexes p and q. Then, m=1
measurement time-series data of node j for attribute p are denoted A large value of MDi indicates how much the attributes deviate
p
by X j,i . For the neighborhood measurement time-series of node k from each other. It follows a chi-square distribution with p degrees
q 
∈ N(j) for the attribute q are referred to as Xk,i . The correlation of freedom and the X p,
2 is used as a threshold for alarm de-
0975
coefficients ρ j, k are calculated for each pair Xj and Xk of measure-
cision. Therefore, the anomaly detection function is given by:
ment time-series from each sensor local attributes (cor r (x0j , x1j ))  
and neighborhood modalities (cor r (x0j , x1k )). 1 i f M Di ≥ X p,
2
Ai = 0975 (12)
0 otherwise
3.2. Second level detection: global anomaly detection
When only one attribute is detected as abnormal, the measure-
As illustrated in the previous section, in the first step, anomaly ment is considered faulty, and the LPU raises an alert to the faulty
detection is performed locally on each sensor node. As a second detected sensor. However, if at least k attributes (k ≥ 2) are anoma-
phase, the LPU handles the multivariate analysis through multi- lous, the LPU triggers an alarm for caregivers to react. For example,
sensor fusion. It has a global view of the gathered data and can as mentioned above, heavy changes in the HR and reduced rate of
exploit the local detection of sensor nodes to distinguish between SpO2 are symptoms of patient health degradation and require im-
the emergency situations and faulty measurements, and thus im- mediate medical intervention.
proves the detection accuracy. The aggregator learns how to deal
with the decision results being provided by the sensor nodes and 4. Stochastic game formulation
reach a consensus by fusing various local decisions.
At each detection round, the aggregator receives candidate In this section, we formulate a stochastic game wherein each
anomalies from the different sensors and classifies them either sensor node seeks to choose the adequate anomaly detection
faulty or related to a real medical condition. For example, in the policy that ensures an optimal trade-off between the detection
case where the ECG readings and blood pressure measurements effectiveness and the energy efficiency. The game environment
are well within range, however, SPO2 readings deviate from the is defined through a state space over which the players interact.
6 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870

Fig 4. Adaptive cooperative decision for local anomaly detection based on context
changes.
Fig 3. Stochastic game model and adaptive decision.

memory capacity, time complexity, and fault model to design the

Each state may change randomly or deterministically based on the context dynamics of smart things.
dynamicity of the environment under observation and the consid- From local point of view, as shown in Fig 4, the proposed
eration of the previous states. Given that continuous monitoring anomaly detection framework consists of an anomaly detection
will deplete the energy resources of sensor nodes, conditional phase and neighborhood selection phase. In the first phase, each
cooperation between them seems efficient. Formally speaking, the sensor node makes the decision to collaborate with its neighbors
game can be modeled as G(S, Aj , Uj , P) where S is the discrete and apply spatiotemporal correlation or use only the temporal cor-
state space that is defined through two modes: connected and relation. The second phase is performed after each observation and
disconnected mode; Aj is the action space of the player j that sensing of the dynamic context. It aims to determine the best set
decides to cooperate with its neighbors and exploit the spatial- of cooperating nodes and thus the best detection policy that en-
temporal correlation or apply temporal correlation while using its sures an optimal tradeoff between energy efficiency and detection
own measurements; Uj is the utility function corresponding to the accuracy.
player j and P is the transition probability map between the above
two states. In the following, we first define the dynamic context 4.1.1. On-body communication channel
where a smart thing operates and makes the adequate decision The adjacency between sensor nodes, their limited resources
to cooperate or not with its neighbors. Then, the different policies capabilities, and the channel variation are complex and unpre-
that can be adopted by the sensor node (player j) are identified dictable due to the body shadowing and the multipath fading ef-
and the Nash equilibrium is studied. fects [36]. Hence, the choice of the detection policy should take
Fig 3 shows the adaptive cooperative decision made by the into account these random channel fluctuations and unreliability
node 1 after the context sensing. Initially (t = 0), the node applies issues. We assume that statistical Channel State Information (CSI)
only the temporal correlation and sends its local observation to the knowledge for the radio channel is available for the transmitters.
LPU. Such decision corresponds to the lowest communication and Therefore, the proper calculation of the received signal-to-noise-
time complexity cost and the worst case for detection accuracy. plus-interference ratio (SINR) from an on-body sensor node j ∈ N
When the adaptive decision is made (t = T), node 1 observes its as measured at another on-body node k requires the knowledge of
context and evaluates the different parameters that can affect its all the signals which are currently and concurrently being received
decision about collaboration. This configuration relies on a coop- at the receiver k. At any instant t, the current SINR value can be
eration between node 1 and node 2 leading to a better detection given as follows [37]:
accuracy.  
PjT X LP d jk
SINRtj = (13)
Nk + u=i, j α ju PuT X LP (duk )
4.1. Context-aware neighbors selection
Where PjT X is the transmission power of the transmitter node j; N
is the power of the noise at the receiver node k; α ju is the rejec-
In order to provide a real-time anomaly detection with a high
tion factor between the channels associated with the nodes j and
detection accuracy while taking into account the limited resources
k; PuT X is the transmission power of the interfering node k; LP (d) is
of smart things, we propose a dynamic and adaptive decision-
the path loss of the wireless channel between two nodes and it is
making for local outlier detection based the scenario and the net-
given by Slawomir et al. [38]:
work dynamics. In this context, we present the WBAN challenging
environment through the communication channel, battery lifetime, L P ( d ) = L p ( d ) + N ( μ, σ ) (14)
 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870 7

Where L p (d ) is the mean path loss of the channel, N (μ, σ ) a log state, Q is the memory state, T is the time complexity, F is the
normal distribution with mean μ and standard deviation σ which probability of classification error. By construction, this context is
models the fading amplitude of the channel in dB. dynamic and reveals the interaction between the conflicting objec-
tives that should be considered during the detection process.
4.1.2. Energy model
To balance energy consumption between sensor nodes during 4.2. Adaptive outlier detection strategies
the detection process, we consider residual energy in modeling the
energy consumption of each node. The battery depletion process is As faulty measurements affect severely the credibility of di-
represented as follows [39]: agnosis results and reliability is extremely important to guaran-
tee a high accuracy, we propose an adaptive outlier detection ap-
E j = E0, j − Econ, j (15) proach to determine the best cooperative set of nodes and thus
Where E0, j is the initial battery state and Econ, j is the energy con- the optimal trade-off among classification accuracy and energy
sumed by the node j. efficiency.
The main purpose of our proposed model is that a smart thing
4.1.3. Memory capacity should detect locally anomalies on time with a high level of accu-
The queue size of the nodes is considered for the decision racy and low false alarm rate. Obviously, this considerably maxi-
making because the queuing delay has a significant impact on mizes the detection rate and improves the quality of care. Never-
the end-to-end delay. Therefore, the communication between two theless, it may exhaust the network resources and specifically, the
neighbors can be done only when the receiver sensor has enough battery lifetime. In this context, we present different adaptive poli-
storage space to store the packet from the transmitter node. The cies to define adaptive detection process while taking into account
change in buffer occupancy of node j can be modeled regarding the dynamic environment changes identified in the previous sub-
traffic variation as [40]: section. We suppose that a smart thing state depends on its ob-
servation of the current context and the previous state, it can be
NQj in connected mode or in the disconnected mode. In the connected
Qj = (16)
NTj mode, it systematically cooperates with its neighbors and exploits
the spatial-temporal correlation while in the disconnected mode it
j j
where NQ represents the number of packets in the queue and NT is uses only its own measurements. The adaptive detection policy is
the total buffer size at node j. defined by the transition probabilities between these two states.
Specifically, when the communication channel state is c, the cur-
4.1.4. Time complexity model rent energy state is Ej , the queue state is q, the time complexity is
Given that the anomaly detection should be on real-time and tc and the probability of fault is pf, the transition probabilities can
any late detection may threaten the life of the monitored patient, be computed as follows:
we take into account the time complexity that is expressed as the  
sum of the aggregation and the transmission delays. It can be com-
Pc→d c, E j , q, tc, p f = P (P (t ) = disconnected|P (t −1 ) = connected )
puted as follows [41]:  
Pd→c c, E j , q, tc, p f = P (P (t ) = connected|P (t −1 ) = disconnected )
D( j ) = D agg
( j) + D tran
( j) (17)
In the following, we define different adaptive strategies that
should be considered for making a decision [45,46] based on the
Dagg ( j ) = |CN ( j )| (18) context model presented in the previous section.
Where |CN(j)| is the cardinality of cooperative neighbors of node j. 1. Adapting to communication channel: when the SINR is below a
threshold, γ , the channel state is degraded and communication be-
Lb j tween neighbors becomes more expensive. Consequently, the body
Dtran ( j ) = (19) sensor node prioritizes the temporal correlation defense policy. On
R
the other hand, when the SINR exceeds a critical threshold, γ̄ , the
Where Lbj and R are the packet length (in bits) and data transmis-
link is of high quality and the node may collaborate with its neigh-
sion rate, respectively.
bors by switching on connected mode.

4.1.5. Fault model   ε1 i f γ ≤ γ
Pc→d c, E j , q, tc, p f =
In each time slot, the body sensor node is in a certain context 1 − ε1 otherwise
that influences its state. Thus, previous anomaly results should be 
included in the decision-making process. We use the Bayesian be-   ε2 i f γ ≥ γ̄
Pd→c c, E j , q, tc, p f =
lief concept [42–44]. Let Atr be the anomaly result in the last time 1 − ε2 otherwise
slot, as (t) be the action related to the cooperative decision adopted
by the smart thing at the current time slot and p(F |as (t ), Atr ) be 2. Adapting to energy: the sensor node state turns to discon-
the posterior belief meaning the probability of a body sensor being nected mode if the energy state is below a threshold E0 and
faulty at the end of the tth time slot. It can be given as follows: adopts cooperation between its neighbors if the energy level
  is greater than E0 .
  p F |Atr ∗ p(as (t )|F , Atr ) 
p F |as (t ), Atr = (20)   1 i f E j /B ≤ E0
o∈{F,E } p(o|Atr ) ∗ p(as (t )|o, Atr ) Pc→d c, E j , q, tc, p f =
0 otherwise
Where o ∈ {Faulty, Event}, p(o|Atr ) and p(as (t )|o, Atr ) denote the 
previous detection result, the prior belief held by the body sensor   1 i f E j /B ≥ E0
Pd→c c, E j , M, D, F =
node and the probability of a body sensor selecting action as (t), 0 otherwise
respectively.
Based on the parameters mentioned above, we define the con- 3. Adapting to memory capacity: given that the energy deple-
text as χ = {C, E, Q, T, F}, where C represents the state of the com- tion is highly related to the number of the transmitted packets
munication channel between sensor nodes, E is the current energy np, the node decides whether to cooperate or not based on the
8 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870

occupancy status of the queue. If the number of packets exceeds and avoiding useless transmission to the LPU (at the risk of de-
the queue capacity, Q j , the relay node chooses not to cooperate pleting the battery) or forwarding all abnormal measurements de-
and exploits only time dependency among its local measurements. tected on the basis of the temporal correlation (at the risk of rais-
Otherwise, spatial dependency among measurements gathered by ing false alerts). In each stage, the player randomly executes each
different nodes is adopted with probability ɛ4 . strategy that is selected with an associated probability which is de-
 fined by the vector ε = (ε 1 , ε 2 , ε 3 , ε 4 , ε 5 , ε 6 ). Adjusting different
  ε3 i f np ≥ Q j
Pc→d c, E j , q, tc, p f = probabilities leads to an optimal trade-off between the different
1 − ε3 otherwise requirements.

  ε4 i f np ≤ Q j
Pd→c c, E j , q, tc, p f = 4.4. Nash equilibrium
1 − ε4 otherwise

4. Adapting to time complexity: For each body sensor node, the Based on the current state, each sensor node j takes the conve-
average detection delay is required to be lower than an upper nient action aj ∈ Aj that maximizes its global utility function given
bound, denoted by δ . This delay constraint allows the sensor nodes the joint strategy choice of all the other sensors a− j = {ak } ∀ k = j.
to specify the maximum tolerable latency on real-time detec- The multi-objective optimization problem is given by:
tion requirements. In addition, it indicates the maximum num-
   
U s, a j , a− j = max(1 − (Pe ) ). Ppdrop (22)
ber of cooperative nodes that can be accepted by a relaying ε
node. Given the strategies of all the other nodes, each node aims to

  1 i f D( j ) > δ adopt a strategy that maximizes its detection accuracy while con-
Pc→d c, E j , q, tc, p f = sidering its energy cost. This policy is defined as the best response
0 otherwise
and expressed as follows.

  1 i f D( j ) ≤ δ
Pd→c c, E j , q, tc, p f = Definition 1 (Best Response). The best response for the player j is
0 otherwise an optimal action a∗j ∈ A j that verifies U j (s, a∗j , a− j ) ≥ U j (s, a j , a− j )
5. Adapting to fault model: based on the historical anomaly re- given the joint adopted action by the other nodes.
sult, the relay node can evaluate the probability of being faulty in Based on the sensing and observation of its environment, the
the next stage and decides to cooperate with its neighbors while body sensor node learns the optimal detection strategy according
considering the anomaly score. We define a high threshold τ̄ of to the current state of the network and thus, find its best response
anomaly score and a low threshold τ . given its current knowledge of the WBAN status.
  
  ε5 i f p F |as (t ), Atr ≤ τ In order to attain a stable convergence state, all the players
Pc→d c, E j , q, tc, p f = have to achieve a common consensus, namely a Nash Equilibrium.
1 − ε5 otherwise
This optimal state defines a stable point where no player has the
  
  ε6 i f p F |as (t ), Atr ≥ τ̄ incentive to deviate from. This means that no player can further
Pd→c c, E j , q, tc, p f = enhance its payoff by unilaterally changing its strategy. The ex-
1 − ε6 otherwise
istence of the Nash equilibrium for our game is justified by the
fact that the aforementioned optimization problem is defined on a
4.3. Payoff functions
compact. An optimal policy ( ∗ , ∗ ) is identified as a Nash equi-
librium if the player will not deviate from its outcome as it will not
In our system, the interaction between the sensor nodes is
achieve a greater payoff with any other strategy. This equilibrium
modeled as a network graph G (V, E). The objective is to find
is defined by the computation of the probabilities Pe that repre-
the desired communication links between sensor nodes to en-
sents the difference between the actual measured value and the
sure a high detection rate. Each sensor node can evaluate the
predicted one and the probability of dropping Ppdrop given as fol-
fitness of the temporal correlation or the spatiotemporal corre-
lows.
lation decision. In order to find the best decision to be taken,  
we use a multidimensional cost function that considers the prob- Pe = Xmeas − X pred  (23)
ability of misclassification in terms of the prediction error and
We denote by A = (aj, k ) transition matrix that represents the
the probability of dropping due to energy depletion. We con-
transition probabilities between the previous state where j nodes
sider a defense function, denoted by , which returns the accu-
are connected and the current state where k nodes are connected
racy of the detection policy in reducing the false alarms, and a
cost function that represents the impact of the adopted strat-   
egy on the battery lifetime of the sensor node. We use the sig- Ppdrop = π , E j , q, tc, p f (24)
j
moid function to define the utility functions of the sensor node as
follows: Where π is the steady state probability matrix, obtained through
 −1 the resolution of the equations π .A = π and π .1 = 1, where 1 is a
(Pe ) = 1 + e−ge .(Pe −he )
   −1 matrix of ones.
Ppdrop = 1 − 1 + e −g pdrop . (Ppdrop −h pdrop ) (21)
4.5. Adaptive outlier detection algorithm
Where Pe and Ppdrop are the probabilities of misclassification and
packet dropping, ge and gpdrop determine the sensitivity of the util- In order to perform anomaly detection, a lightweight algo-
ity functions, he and hpdrop represent the inflection points. rithm is implemented in a distributed fashion that has less com-
The prediction error evaluates the performance of the detection putational complexity and higher scalability than the centralized
policy in terms of detection rate and false alarms. Packet dropping model.
is related to energy depletion when the smart thing switches to As a first step, each sensor node takes its most recent read-
the disconnected mode to save energy. The utility function pre- ings in the sliding window and applies the temporal correlation
sented above aims to balance between providing a low false alarm strategy. Then it determines the probability of misclassification, the
 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870 9

posterior belief as well as the network status. Based on these pa- Algorithm 1 Adaptive and distributed anomaly detection.
rameters, each sensor node j ∈ N takes the appropriate action and
Inputs: j node ID, L the sliding window, CN the current cooperative nodes,
the set of cooperating nodes to which j can connect and exchange
network state S, channel state c, the current energy state E, the queue state
its measurements. As a second phase, sensor nodes play an itera- q, the time complexity tc
tive detection game randomly. In every iteration, each sensor node Output: optimal detection decision
j ∈ N interacts with its cooperating node list CN on the basis of the //Initialization
current network state Sj , the detection accuracy expressed in terms t: =0
1. For each node j do
of the prediction error as well the communication cost and thus, it
2. atj ← Temporal correlation
identifies the convenience of the possible actions (temporal corre- 3. End
lation/spatiotemporal correlation) and executes the best response //Anomaly detection Actions
by replacing its current active link to a more convenient link. As 4. For each node j do
mentioned in lines 17 and 18, the sensor node has to select its ac- {
5. For every sliding window L do
tion atj after getting the contextual information (line 16) and then
6. { Compute local measurement Xj
computes its payoff function defined by Eq. (22). For every transi- 7. Compute the anomaly score AS (Xj )
tion from a state Stj to St+1
j
, ∃ a set of cooperative nodes such that 8. Exchange last reading with CN
9. Compute Pearson correlation ρ (Xj , Xk )
U t+1
j
> U tj . Based on this statement and given that the set of coop- 10. Compute the prediction error Pej
erating nodes is a finite number, the proposed algorithm converges 11. Get the network status Sj t }
to an equilibrium after a finite number of iterations, such that U∗ }
> U where U includes all the previous utilities for different sets of 12. Return AS, Pej , Ppdrop j
, Sj t
//Learning
cooperative nodes. Therefore, the game can reach a Nash equilib-
13. Repeat
rium. As indicated above, by Eqs. (23) and (24), each sensor node {
needs to assess the prediction error and the probability of packet 14. For each node j do
dropping due to energy depletion in order to make the appropri- 15. { Compute the posterior belief PFj
ate decision. Finally, we should notify that in each detection stage, 16. After observing the network state Sj t (c, E, q, tc)
17. Select an action atj from anomaly detection actions
when a sensor node decides to cooperate or not with its neighbors,
18. Compute payoff function U (S j t , a j t , a− j t )for node j
it must update its belief about the last classification, the residual 19. }
energy, the memory capacity and the end-to-end delay, given that 20. If node detected faulty
the cooperation can increase the detection delay. Moreover, when 21. {Send alerts to sensor
a node chooses to cooperate with its neighbor, a message should 22. Else
23. Raised alarms to caregivers}
be sent to that node to update its own collaborative list. 24. Update CN after players take their actions
25. Update optimal action atj
t ←t +1
4.6. Complexity analysis of the proposed adaptive outlier detection }
approach 26. Until convergence to an equilibrium
(U (S j t , a j t , a− j t ) = U (S j t+1 , a j t+1 , a− j t+1 ))
The main focus of this study is to provide adaptive anomaly
detection according to device capabilities and network status. In
order to prove the efficiency and the fitness of the proposed ap- of the exchanged messages is 2|CN| which has a communication
proach, we conduct a complexity analysis from computational and complexity of O(|CN|).
communication perspectives. Specifically, the communication com-
plexity for each sensor node corresponds to the number of ex- 5. Experimental results
changed messages between nodes as well as between the sensor
node and the LPU. In this section, we conduct experiments of the proposed
The computational complexity of the proposed algorithm is as- approach for anomaly detection in PhysioNet database (MIMIC
sociated with the outlier detection process and the best strategy Database) that provides real medical data. The adopted clinical
selection. In fact, the computational requirements to determine the database contains comprehensive clinical data collected from var-
candidate anomalies by exploiting the temporal correlation strat- ious Intensive Care Units (ICUs) (medical, surgical, coronary care,
egy are linear due to the incremental nature of calculating EWMA. and neonatal) in a teaching hospital [47]. This database involves
For the spatiotemporal correlation, the complexity is related to the over 90 patient records, and it is used to develop and evaluate
number of connected nodes and has a time complexity of O(|CN|). recent proposed patient monitoring systems. The average length
Furthermore, the computational complexity of the best response of these records is 40 h. The set of physiological attributes in
selection has a time complexity of O(|S|) where S is the set of each record depends on the patient’s clinical condition and it may
strategies. In addition, the complexity of the number of iterations include: systolic Arterial Blood Pressure (ABPsys), diastolic Arte-
needed to achieve convergence is upper bounded by the set of rial Blood Pressure(ABPdias), mean Arterial Blood Pressure (ABP-
cooperating nodes. The algorithm converges rapidly given that a mean), Pulmonary Artery Pressure (PAP), Temperature, Oxygen Sat-
sensor node does not require the cooperation with every neighbor uration(SPO2), Respiration Rate (RESP), Electromyography (EMG),
before observing the dynamic context changes and identifying its Electroencephalogram (EEG), Heart Rate (HR), and Pulse.
best response. Sensor data anomaly is determined using a distributed anomaly
For each sensor node, the communication cost corresponds to detection approach. At first, each sensor node decides to use tem-
the exchanged and transmitted messages between the communi- poral correlation while applying EWMA model or to cooperate
cating parties. Particularly, a sensor node has to share the readings with its neighbors and perform spatiotemporal analysis. Then, the
with the set of cooperating nodes. This phase needs a total amount local detection result is forwarded to the LPU which executes a
of |CN| exchanged messages between the cooperative neighbors. global anomaly detection based on MD to check the number of
In addition, the sensor node has to communicate the belief status deviated attributes. As physiological parameters are correlated, real
about the class label for its measurements to the set of connected emergency situations induce at least k attributes (k ≥ 2), and faulty
nodes, which involves |CN| messages. Therefore, the total number measurements are usually uncorrelated with other measurements.
10 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870

Fig 5. HR.

Fig 6. BP.

In the following, we define our simulation environment and the

different parameters used in our experiments. We further compare
and evaluate the performance of the proposed approach with, Lin-
ear SVM [12], J48 [11], and centralized approach where all mea-
surements are transmitted to the LPU that applies the MD for
anomaly detection. Then, we assess the efficiency of the adaptive
anomaly detection while evaluating the different policies adopted
for local anomaly detection under the dynamic context. Our main
purpose is to find the best policy that provides an optimal consen-
sus between energy efficiency and detection accuracy.

5.1. Simulation environment and setup

We consider a WBAN composed of ten on-body sensor nodes

measuring different attributes such as Blood Pressure (BP), Tem-
perature, Oxygen Saturation(SPO2), Respiration Rate (RESP), Elec-
tromyography (EMG), Electroencephalogram (EEG), Heart Rate
(HR), Pulse, C.O, etc. However, in our experiments, we use only 5
physiological parameters, namely RESP, HR, SPO2, BP, and PULSE. Fig 7. PULSE.
Specifically, we focus on the physiological data of the subject 221,
a female of 68 years diagnosed with brain injury. The monitoring
duration lasts for 23.7 h. We use a sliding window of width L =
10 min in order to reduce the computation complexity and the
memory requirement.
We use the IEEE 802.15.6 specifications which allow the com-
munication between sensors, and a packet size of 1024 bits. We as-
sume a communication model with different link quality, where a
bit error rate (BER) is assigned to indicate excellent (PRR: 0.99) and
bad (PRR: 0.5) link quality. The channel model involves the node
transmission power (−10 dBm), receiver sensitivity (−84.7 dBm),
noise floor (−102 dBm), an additive white Gaussian noise (AWGN)
of mean zero and σ = 6.81 dBm as well as the path loss exponent
(3.6) [48]. The path loss model is defined by a path loss at ref-
erence distance PL (dref ) = 23.49 dB, an average deviation σ dB =
2.93 and reference distance dref = 0.5 cm [49]. We assume that the
battery capacity is 0.5 J.
For the clarity of representation of the used physiological at- Fig 8. RESP.
tributes, we start by presenting the variations of each attribute.
Specifically, we focus only on the part of the physiological param-
eters where it cannot easily differentiate between faulty measure- crease to zero in different time intervals. However, their normal
ments and real emergency situations. The variations of the HR are values are inside the intervals [90–140] and [60–100], respectively.
presented in Fig 5, where the ideal values of a healthy adult in These simultaneous variations are explained by the fact that HR,
rest fall inside [60–100]. By visually inspecting the variation of the BP, and PULSE are correlated. Furthermore, in Figs. 8 and 9, we can
HR, we can identify some spikes where abnormal values can fall identify some simultaneous variations in SPO2 and RESP. For the
to zero and others that exceed 100 bpm (beat per minute). At the respiration rate, we can see four zones of abnormal change reach-
same time, as presented in Figs. 6 and 7, we can visually iden- ing zero. In addition, measured values of SPO2, which should be
tify abnormal variations of BP and PULSE measurements which de- in [95−100], fall down to zero and thus indicate that the patient
 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870 11

Fig 9. SPO2. Fig 11. Raised alarms based on temporal correlation.

Fig 12. Raised alarms based on spatiotemporal correlation.

Fig 10. Supperposed attributes.

we compare our approach with several existing algorithms, such as

is in a real clinical situation (asphyxia, lack of oxygen, and heart SVM, J48, and centralized approach.
disease).
To show the correlation between the physiological parameters, 5.2.1. Comparison results
we present the variations of the 5 considered attributes in Fig 10. Unlike the traditional anomaly detection approaches where all
We can notice that a clinical emergency situation is correspond- the sensed data is transmitted to the LPU for analysis and de-
ing to simultaneous changes in many attributes. However, there is tection, in our approach, each sensor node exploits its own mea-
no correlation between the physiological attributes for faulty mea- surements or its neighborhood information and transmits only ab-
surements. We can distinguish 2 zones of correlated attributes, normal readings to the LPU that performs global detection. Fig 11
where almost all physiological attributes change and a real clini- shows the variations of the 5 attributes with the raised alarms af-
cal situation occurs. In addition, we can identify 1 abnormal mea- ter correlation analysis. There are 4 raised alarms when each sen-
surement transmitted by the BP where its value decreases to zero sor node applies the EWMA technique and transmits only abnor-
without significant changes in other attributes. This case presents mal readings to the LPU which executes the MD distance to dis-
a faulty measurement transmitted by the BP sensor. tinguish between faulty measurements and emergency situation.
Nevertheless, when the spatiotemporal correlation is activated, the
false alarms are discarded and only two medical alarms are raised
5.2. Performance analysis
to the caregivers (presented in Fig 12). Therefore, spatiotemporal
analysis improves the detection accuracy.
In the following, we evaluate the performance of our global sys-
To analyze the performance of the proposed approach, we use
tem in terms of detection accuracy in two cases. In the first case,
the Receiver Operating Characteristic (ROC) to determine the im-
each sensor node adopts only the temporal correlation for local
pact of the proposed approach on the detection rate (25) and the
anomaly detection and then it transmits the abnormal values to
false positive rate (26).
the LPU that uses the MD for global detection. However, in the
second case, we apply the spatiotemporal correlation and sensor TP
DR = (25)
nodes send only the correlated anomalies to the aggregator. Then, TP + FN
12 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870

Fig 13. Receiver Operating Characteristic (ROC).

Where TP is the number of true Positives and FP presents the false

positives. The false positive rate is defined as:
FP
F PR = (26)
FP + TN
Fig 13 presents the ROC of the proposed approach and the
other benchmarking approaches. It shows that the proposed ap-
proach, when a spatiotemporal correlation is applied by sensor
nodes, achieves a detection rate of 100% with a FPR of 1.4%. We
found that the performance of the SVM and J48 techniques can
reach 100% DR at the cost of higher FPR values of 22% and 35% re-
spectively. Finally, the centralized approach achieves 100% DR with
a FPR of 42%. Therefore, the proposed distributed approach outper-
forms other comparative techniques and provides effective sensor
anomaly detection.
We should notice that the classification algorithms SVM and
J48, need labeled training data set to provide an accurate classifi-
cation model. The training data are labeled as either normal or ab-
normal. However, labeled training data are often skewed or even
unavailable. Skewed labeled data occurs when one class is over-
represented which leads to a poor minority class recognition per-
formance. Creating a labeled training dataset is often an expen-
sive task that requires several experiments to define suitable pre-
processing and balancing algorithms.

5.2.2. Impact of adaptive decision on network performance

In the following, we study the impact of the adaptive local
anomaly detection on the network performance in order to find
the best adaptive strategy that ensures an optimal tradeoff be-
tween energy efficiency and detection accuracy. We focus on two
performance metrics: communication cost and detection accuracy

• Communication cost is defined as the number of required mes-

sages for the adopted detection policy
• Detection accuracy is defined as the percentage of correctly clas-
Fig 14. Performance evaluation of the different strategies.
sified sensor’s measurements.

In order to ensure a high detection accuracy with a low energy node adopts different strategies on the basis of the dynamic con-
consumption, it seems necessary to balance between energy effi- text changes for the case where ε 1 = ε 2 =ε 3 =ε 4 =ε 5 =ε 6 =0.5.
ciency and detection effectiveness. For this purpose, we evaluate Fig 14 compares the different strategies and shows that adapt-
the performance of the adaptive policies in terms of WBAN life- ing to time complexity, channel state, and memory achieve an ac-
time and the prediction error. We study how the energy consump- ceptable tradeoff between communication cost and detection ac-
tion and the detection accuracy functions are affected when a relay curacy which can reach 98%. Therefore, making a decision based
 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870 13

approaches for anomaly detection such SVM and J48 as well as

non-adaptive methods where each sensor node makes a static
decision (temporal correlation or spatiotemporal dependencies)
without considering the dynamic WBAN environment.
In order to ensure a tradeoff between the detection accuracy
and the energy consumption, a sensor node performs adaptive co-
operative anomaly detection while considering the communica-
tion channel conditions, the resources availability, and the aggre-
gation delay. However, several other contextual parameters may
impact the compromise between the detection accuracy and the
energy efficiency such as the number of the considered observa-
tions and the size of the sliding window. In fact, a larger sliding-
window width and a larger number of observations can have bet-
ter anomaly detection accuracy at the expense of energy effi-
ciency. In addition, the trustworthiness of the cooperative nodes
is an essential requirement to improve anomaly detection accu-
racy. In this context, as future direction, we intend to incorporate
a trust management model where a sensor node decides to co-
operate with its neighbors or not on the basis of their reputation
and we will study the impact of this mechanism on the network
Fig 15. Convergence of the proposed Algorithm to an equilibrium. performance.

Declaration of Competing Interest

on these parameters provide more convenient results for both
detection effectiveness and network lifetime which can be ex- None.
tended up to 46% for adapting to channel state strategy. How-
ever, the adapting to fault model policy exploits permanently spa- CRediT authorship contribution statement
tiotemporal correlation among readings. Therefore, it corresponds
to the best classification accuracy but the highest communica- Amel Arfaoui: Conceptualization, Formal analysis, Writing -
tion complexity. From energy consumption perspective, each sen- original draft, Writing - review & editing. Ali Kribeche: Su-
sor chooses to exploit only temporal dependencies. The adopted pervision, Validation, Visualization, Writing - review & edit-
policy provides the best result in terms of energy consump- ing. Sidi Mohammed Senouci: Conceptualization, Project admin-
tion given that no communication between nodes is needed and istration, Validation, Visualization, Writing - review & editing.
anomalies can be detected quickly. It can correctly classifies 94% Mohamed Hamdi: Methodology, Validation, Writing - review &
of the measurements. Hence, we can conclude that the payoffs editing.
achieved by adapting to energy and fault model strategies are un-
References
fair because they take into account only one aspect. Thus, smart
things should consider different requirements in order to dynam- [1] S.M. Aziz, D.M. Pham, Energy efficient image transmission in wireless multi-
ically change their cooperative strategies and achieve the desired media sensor networks, IEEE Commun. Lett. 17 (2013) 1084–1087, doi:10.1109/
payoff. The best choice is to adopt the strategy that ensures a LCOMM.2013.050313.121933.
[2] D.M. Pham, S.M. Aziz, Object extraction scheme and protocol for energy effi-
well-balanced trade-off between detection accuracy and WBAN cient image communication over wireless sensor networks, Comput. Netw. 57
lifetime. (2013) 2949–2960, doi:10.1016/j.comnet.2013.07.001.
Fig 15 presents the convergence of the global utility to a sta- [3] Z. Pang, Technologies and Architectures of the Internet-of-Things (IoT) for
Health and Well-Being, Dept. Electron. Comput. Syst, KTH-Roy. Inst. Technol,
ble state and optimal value after around 2.5 × 10^4 iterations. This
Stockholm, Sweden, 2013 M.S. thesis.
utility is computed while adopting a hybrid adaptive strategy that [4] Y. Zhang, N. Meratnia, P.J.M. Havinga, Outlier detection techniques for wireless
considers the fault model, the energy consumption and the chan- sensor networks: a survey, IEEE Commun. Surv. Tutor. 12 (2) (2010) 159–170.
nel state to select the optimal anomaly detection policy. [5] G. Fortino, G. Di Fatta, M. Pathan, A.V. Vasilakos, Cloud-assisted body area net-
works: state-of-the-art and future challenges, Wireless Netw. 20 (7) (2014)
1925–1938.
6. Conclusion and future directions [6] J. Ko, J.H. Lim, Y. Chen, R. Musvaloiu-E, A. Terzis, G.M. Masson, T. Gao,
W. Destler, L. Selavo, R.P. Dutton, MEDiSN: medical emergency detection in
sensor networks, ACM Trans. Embedded Comput. Syst. 10 (1) (2010) 1–29.
In this paper, we addressed the adaptive anomaly detection [7] O. Chipara, C. Lu, T.C. Bailey, G.-.C. Roman, Reliable clinical monitoring using
problem in a constrained WBAN. A distributed two-level detection wireless sensor networks: experiences in a stepdown hospital unit, in: Pro-
ceedings of the 8th ACM Conference on Embedded Networked Sensor Systems
approach is proposed and a fusion algorithm is used to provide (SenSys’10, 2010, pp. 155–168.
a high accuracy, low false alarm, and low energy consumption. [8] M. Won, S.M. George, R. Stoleru, Towards robustness and energy efficiency of
The first level is performed locally at sensor nodes. For the local cut detection in wireless sensor networks, Ad Hoc Netw. 9 (3) (2011) 249–264.
[9] P. Kar, S. Misra, Reliable and efficient data acquisition in wireless sensor net-
detection, we developed a game-theoretic model between sensor works in the presence of trans faulty nodes, IEEE Trans. Netw. Serv. Manag. 13
nodes where each smart thing makes a decision to cooperate with (1) (2016) 99–112.
its neighbors or uses only its own measurements dynamically [10] Y. Z.hang, N. M.eratnia, P.J.M. Havinga, Outlierdetectiontechniques for wireless
sensor networks: a survey„ IEEE Commun. Surv. Tutor. 12 (2) (2010) 159–170.
on the basis of its environment observation. The second level is
[11] O. Salem, A. Guerassimov, A. Mehaoua, A. Marcus, B. Furht, Sensor fault and
performed in the LPU by applying the MD to check the decision patient anomaly detection and classification in medical wireless sensor net-
made in the first level. Then, we evaluated the global system per- works, in: Proceedings of the IEEE International Conference on Communica-
tions (ICC), Budapest, Hungary, 2013, pp. 4373–4378.
formance as well as the different adaptive strategies. We proved
[12] O. Salem, A. Guerassimov, A. Mehaoua, A. Marcus, B. Furht, Anomaly detection
the efficiency of the proposed approach in terms of communica- in medical wireless sensor networks using SVM and linear regression models,
tion cost and detection accuracy where each sensor node adapts Int. J. E-Health Med. Commun. (2014).
its behavior depending on different dynamics of the context, thus [13] O. Salem, Y. Liu, A. Mehaoua, R. Boutaba, Online anomaly detection in wireless
body area networks for reliable healthcare monitoring, IEEE J. Biomed. Health
providing significant reduction in energy consumption at the cost Informat. 18 (5) (2014) 1541–1551, doi:10.1109/jbhi.2014.2312214.
of a small decrease in classification accuracy comparing to existing
14 A. Arfaoui, A. Kribeche and S.M. Senouci et al. / Computer Networks 163 (2019) 106870

[14] O. Salem, Y. Liu, A. Mehaoua, A lightweight anomaly detection framework for [45] M. Hamdi, H. Abie, Game-Based adaptive security in the internet of things for
medical wireless sensor networks, in: Proceedings of the IEEE Wireless Com- eHealth, in: Proceedings of the IEEE International Conference on Communica-
munications Network Conference, 2013, pp. 4358–4363. tions, 2014.
[15] N. Shahid., I. Naqvi, S.B. Qaisar, Quarter-Sphere SVM. Attribute and spatio-tem- [46] A. Sfar, E. Natalizio, Y. Challal, Z. Chtourou, A Markov game privacy preserving
poral correlations based outlier & event detection in wireless sensor networks, model in retail applications, in: Proceedings of the IEEE MowNet, 2017.
in: Proceedings of the IEEE Wireless Communications and Networking Confer- [47] PhysioBank ATM., https://www.physionet.org/cgi-bin/atm/ATM (accessed 30-
ence (WCNC), Paris, France, 2012, pp. 2048–2053. 1–4. 05-2017).
[16] P.A. Jiang, A new method for node fault detection in wireless sensor networks, [48] M. Ali, H. Moungla, A. Mehaoua, Energy aware competitiveness power control
Sensors 9 (2) (2009) 1282–1294. in relay-assisted interference body networks, arXiv:1701.08295v1, 2017.
[17] N. Shahid, I.H. Naqvi, S.B. Qaisar, Characteristics and classification of outlier [49] Y. Liao, M.S. Leeson, M.D. Higgins, C. Bai, Analysis of In-to-Out wireless body
detection techniques for wireless sensor networks in harsh environments: a area network systems: towards qos-aware health internet of things applica-
survey, Artif. Intell. Rev. 43 (2) (2015) 193–228. tions, J. Electr. 5 (3) (2016) 1–26.
[18] O. Salem, Y. Liu, A. Mehaoua, Anomaly detection in medical wireless sensor
networks, J. Comput. Sci. Eng. 7 (4) (2013) 272–284. Amel Arfaoui received the Engineering Diploma from the
[19] M. Xie, J. Hu, S. Guo, Segment-based anomaly detection with approximated Higher School of Telecommunication of Tunisia (Sup’Com,
sample covariance matrix in wireless sensor networks, IEEE Trans. Parallel Dis- Tunisia) in 2016. She is currently working toward joint
trib. Syst. PP (99) (2014) 1–1. Ph.D. degree in computer science with the DRIVE Lab,
[20] S.A. Haque, M. Rahman, S.M. Aziz, Sensor anomaly detection in wireless sensor university of burgundy, Nevers, France and the Higher
networks for healthcare, Sensors 15 (4) (2015) 8764–8786. School of telecommunication of Tunisia (Sup’Com). Her
[21] O. Salem, Y. Liu, A. Mehaoua, Anomaly detection in medical WSNs using research interests include adaptive security approaches in
enclosing ellipse and chisquare distance, in: Proceedings of the IEEE In- IoT, privacy preserving, Game theory, anomaly detection
ternational Conference on Communications (ICC’14), Sidney, Australia, 2014, and WBAN.
pp. 3658–3663.
[22] N. Shahid, I.H. Naqvi, S.B. Qaisar, Characteristics and classification of outlier
detection techniques for wireless sensor networks in harsh environments: a
survey, Artif. Intell. Rev. 43 (2) (2015) 193–228.
[23] J. Choi, B. Ahmed, R. Gutierrez-Osuna, Developpement and evaluation of an
Ali Kribche is an Associate Professor in the Institut Supérieur de l’Automobile et
ambulatory stress monitor based on wearable sensors, IEEE Trans. Inf. Technol.
des Transports (ISAT), Nevers, France. He received his Ph.D. from university of Tours,
Biomed. 16 (2) (2012) 279–286.
France in 2005. He is working on vehicular communications, sensor networks and
[24] M.S. Abdalzaher, Game theory meets wireless sensor networks security re-
signal processing.
quirements and threats Mitigation: a survey”, Sensors 16 (7) (2016) 1003.
[25] M.S. Abdalzaher, K. Seddik, O. Muta, A. Abdelrahman, Using Stackelberg game
to enhance node protection in WSNs, in: Proceedings of the 13th IEEE Annual Sidi Mohammed Senouci (M’06) received the Ph.D. de-
Consumer Communications and Networking Conference, 2016. gree in computer science from University of Paris 6,
[26] S. Shen, L. Huang, E. Fan, K. Hu, J. Liu, Q. Cao, Trust dynamics in WSNs: an Paris, France, in October 2003. Since September 2010,
evolutionary game-theoretic approach, J. Sens. 10 (2016) 1155. he has been a Full Professor with Institut Supérieur de
[27] A. Arfaoui, A. Ben Letaifa, A Kribeche, SM. Senouci, M. Hamdi, A stochastic l’Automobile et des Transports, a major French postgrad-
game for adaptive security in constrained wireless body area networks, in: uate school located in Nevers, France, and a component
Proceedings of the IEEE CCNC, Las Vegas, USA, 2018. of the University of Burgundy. He holds seven interna-
[28] Y. Zhang, N.A.S. Hamm, N. Meratnia, A. Stein, M. van de Voort, P.J.M. Havinga, tional patents on these topics and published his work
Statistics-based outlier detection for wireless sensor networks, Int. J. Geogr. Inf. in major IEEE conferences and renowned journals. His-
Sci. (GIS) vol. 26 (8) (2012) 1373–1392. research interests include vehicular communications, ad
[29] X. Su, L. Wu, P. Shi, Sensor networks with random link failures: distributed hoc and sensor networks, Transmission Control Protocol
filtering for T-S fuzzy systems, IEEE Trans. Ind. Inf. 9 (3) (2013) 1739–1750. over wireless, wireless and mesh networks, cooperative
[30] H. Fathallah, Smart badge for monitoring formaldehyde exposure concentra- networks, and performance evaluation. Prof. Senouci is a
tion, in: Proceedings of the International SEEDS Conference: Sustainable Eco- member of the IEEE Communications Society (ComSoc) and an Expert Senior of the
logical Engineering Design for Society„ Leeds, United Kingdom, 2015. French Society of Electricity and Electronics (SEE). He has been serving as a Techni-
[31] Z.G. Zhou, P. Tang, Improving time series anomaly detection based on expo- cal Program Committee (TPC) member of the following International Federation for
nentially weighted moving average (EWMA) of season-trend model residuals, Information Processing, Association for Computing Machinery, or IEEE conferences
Proceedings of the IEEE International Geoscience and Remote Sensing Sympo- and workshops (ICC, GLOBECOM, PIMRC, GIIS, VTC, WiVeC, MWCN, IWWAN, Wire-
sium (IGARSS). less Days, WITS, etc.). He is the Chair of the IEEE ComSoc Information Infrastructure
[32] Hedde HWJ Bosman, “Spatial anomaly detection in sensor networks using and Networking Technical Committee (2014–2016). He was a Cochair of the Ad Hoc
neighborhood information, Inf. Fusion vol.33 (2017) 41–56. and Sensor Networking Symposium in the 2011 IEEE Global Communications Con-
[33] Binoy Shubha, Sajjad Waheed, False alarm detection in wireless body sensor ference (GLOBECOM) and a Cochair of the Next Generation Networking Symposium
network using adaptive and intelligent approach, Commun. Appl. Electr. (CAE) in the 2012 IEEE International Conference on Communications. He was a Vice-Chair
3 (6) (2015) 1–9. of the Selected Areas in Communications Symposium in the 2010 IEEE Globecom, a
[34] Blaise Omer Yenké, Adaptive scheme for outliers detection in wireless sensor Cochair of the Vehicular Technology Conference Symposium in the 2010 IEEE Wire-
networks, Int. J. Comput. Netw. Commun. Secur. 5 (5) (2017) 105–114. less Communications and Mobile Computing Conference, and a TPC Cochair of the
[35] S. Kumar, T.W.S. Chow, M.G. Pecht, Approach to fault identification for elec- VehiCom2009 Workshop. He was the founding Chair of the Ubiroads2007 work-
tronic products using Mahalanobis distance, IEEE Trans. Instrum. Meas. 59 (8) shop. He was the Guest Editor of a special issue of the UBICC journal and was
(2010) 2055–2064. the Special Track Cochair in the 2008 International Symposium on Personal, Indoor
[36] H. Moosavi, F.M. Bui, Delay-Aware optimization of physical layer security in and Mobile Radio Communications (PIMRC) on intelligent transportation systems.
multi-hop wireless body area networks, IEEE Trans. Inf. Forens. Secur. 11 (9) He is a founding Coeditor of the IEEE ComSoc Ad Hoc and Sensor Network Techni-
(2016) 1928–1939. cal Committee Newsletter.
[37] M.M. Alam, E.B. Hamid, Interference mitigation and coexistence strategies in
IEEE 802.15.6 based wearable Body-to-Body networks”, in: Proceedings of the Mohamed Hamdi received the Engineering Diploma,
10th International Conference on Cognitive Radio Oriented Wireless Networks Master Diploma, and Ph.D. in Information and Communi-
(CROWNCOM), 2015. cation Technologies from the Engineering School of Com-
[38] S.J. Ambroziak, K. Turbic, C. Oliveira, L.M. Correia, R.J. Katulski, Fading mod- munications (Sup’Com, Tunisia) in 20 0 0, 20 02, and 20 05;
elling in dynamic off-body channels, in: Proceedings of the 10th European respectively. He is also recipient of the habilitation de-
Conference on Antennas and Propagation, 2016. gree in 2010. He is a Tunisian telecommunication scien-
[39] P. Zahariev, G.V. Hristov, T.B. Iliev, Study on the impact of node density and tist in the field of network security, mobile wireless sen-
sink location in WSN, in: Technological Developments in Networking, Educa- sor networks, and image processing. He has introduced
tion and Automation, 2010, pp. 539–542. new techniques for security policy engineering and mul-
[40] M. Gholipour, A.T. Haghighat, M.R. Meybodi, Hop-by-hop traffic-aware routing timedia encryption. He passed prestigious security certifi-
to congestion control in wireless sensor networks, EURASIP J. Wirel. Commun. cations including the Certified Information Systems Secu-
Netw. 15 (1) (2015) 1–13. rity Professional, the Cisco Certified Security Professional,
[41] M.H. Anisi, S.A. Razak, M.A. Ngadi, An overview of data routing approaches for and the Red Hat Certified Engineer. Dr. Hamdi is the co-
wireless sensor networks, Sensors 12 (4) (2012) 3964–3996. authored of more than 100 scientific publications published in international jour-
[42] C. Titouna1, M. Aliouat, M. Gueroui, FDS: fault detection scheme for wireless nals, books, and conferences. His-major research contributions relate to network
sensor networks”, Wirel. Pers. Commun. 86 (2) (Jan. 2016) 549–562. security engineering, multimedia transmission, and wireless sensor networks. He
[43] A. De Paola, P. Ferraro, S. Gaglio, G. Lo Re, S.K Das, An adaptive Bayesian sys- has been invited in many international conferences to give keynote speeches and
tem for context-aware data fusion in smart environments, IEEE Trans. Mob. tutorials. He is member of the IEEE Communication and Information Security Tech-
Comput. 16 (6) (2017) 1502–1515. nical Committee and he was selected for the Nomination and Election Committee
[44] G.L. Re, F. Milazzo, M. Ortolani, A distributed bayesian approach to fault detec- organizing the elections held in Honolulu (Hawaii) during the Globecom 2009 con-
tion in sensor networks, in: Proceedings of the IEEE Global Communications ference.
Conference (GLOBECOM), 2012.